Gardner: And where are you joining us from today, where is your travel taking you?

Los: Well we are at the HP Protect 2012, here in beautiful Nashville, Tennessee where the sun is shining and the birds are chirping country music.

Gardner: We have a fascinating show today, we're going to learn how Liberty Mutual Insurance is building security
more deeply into its business, and with that, I’d like to introduce our
special guest, John McKenna, Vice President and Chief Information
Security Officer for Liberty Mutual.

Welcome to the show, John.

John McKenna: Glad to be here.

Gardner:
You're both at the HP Protect show in Nashville, so let’s focus on
security a bit. Why is security so important to your business now, and in what ways are you investing?

McKenna: It’s pretty clear to us that the world has changed in terms of the threats
and in terms of the kinds of technologies that we're using these days
to enable our business. Certainly, there's an obligation there, a
responsibility to protect our customers’ information as well as making
sure that our business operations can continue to support those
customers.

So, as I said, it's the realization that we
need to make sure we’re as secure as we need to be, and we can have a
very deep discussion about how secure we need to be.

In
addition to that, we have our own employees, who we feel we need to
protect to enable them to work and get the job done to support our
customers, while doing so in a very secure workplace environment.

Gardner:
You started off by saying that things are different. You recognized
that. How do you generally think things are different now than, say,
four or five years ago?

We
need to make sure that we can use those technologies and enable our
business to use them effectively to grow our business and service our
customers, while at the same time, protecting them so that we reduce the
threat. We will never eliminate it, but we can reduce the opportunities
for the bad guys to take advantage.

Los: John,
you talk about for your customers. From a security perspective, your
customers are your external customers as well as internal, correct?

McKenna:
We absolutely have our internal customer as well. We have partners,
vendors, agencies, and brokers that we're doing business with. They're
all part of the supply chain.
We have an obligation to make sure that whatever tools and technologies
we are enabling them with, we’re protecting that as well.

Gardner: John, Liberty Mutual, of course, is a large and long-time leader in insurance. Tell us about the breadth and depth of your company. I imagine you're quite dispersed as well, with many different lines of service. Help us understand the complexity that you're managing, when it comes to bringing security across this full domain.

McKenna: We're a global company in the Fortune 100
list. We have $35 billion in revenue and we have about 45,000 employees
worldwide. We offer products across the personal and commercial lines
products, or P&C, and life insurance products. We’ve got
somewhere in the range of 900-plus offices globally.

So
we have lots of people. We have lots of connections and we have a lot of customers and suppliers who are all part of this business. It’s a
very complex business operation, and there are a lot of challenges to
make sure that we're supporting the customers, the business, and also
the projects that are continually trying to build new technology and new
capabilities.

Gardner:
Raf, when we talk about what’s different in companies, one of the
things I'm noticing that I think is pretty important when it comes to
security, is that in the past, security was really something that was
delegated and was an afterthought in some respect.

But
I'm seeing a lot of companies now that, when they're planning new
products and services, start asking those questions right-away. Is this
something we can deliver securely? Should we bring this product to
market in this way, when security concerns or privacy concerns are
something that we need to consider for our brand, and our employees’ and
our supply chain’s protection?

It seems to me that
security is now a thought right at the very beginning of planning for
new services. Is that the case in your travel?

Los:
That’s what I'm seeing, and there's still the maturation that’s
happening across the enterprise spectrum where a lot of the
organizations -- believe it or not, in 2012 -- are still standing up
formalized security organizations.

Not a given

So security is not a given yet, where the department exists, is well-funded, well-staffed, and well-respected. You're getting to that state where security is not simply an afterthought, as it was in an organization in my past job history a decade ago or so. In those types of companies, they would get it done and then say, "By the way, security, if you take a look at this before we launch it, make sure it's given a virtual thumbs up. You've got about 20 minutes to go."

If you can get away from that, it’s really about security teams stepping up and demonstrating that they understand the business model
and that they're there to serve the organization, rather than simply
dictate policy. It’s really a process of switching from this tight
iron-grip on control to more of a risk model.

It's sort
of a cliché, but IT technology risks understanding acceptance and
guidance. I think that’s where it’s starting to win over the business
leaders. It’s not that people don’t care about security. They do. They
just don’t know they do. It’s up to us to make sure that they understand
the context of their business.

Gardner: John,
is that ringing true for you at Liberty Mutual, where there is a more
concern and thought put into security as you're bringing products and
services to market and as you're considering what new products and
services to bring to market?

McKenna: It absolutely is. It goes from the top on down. Our board certainly is reading the headlines every day. Where there are new breaches, their first question is, "Can this happen to us?"

So
it certainly starts there, but I think that there absolutely is an
appreciation at our strategic business units, the leadership, as well as
the IT folks that are supporting them, that as we're rolling out new
capabilities, we have a responsibility to protect the brand and the
reputation. So they're always thinking first about exactly what the
threats and the vulnerabilities might be and what we have to do about
it.

We’ve got a lot of programs underway in our
security program to try to train our developers how to develop
application, secure coding practices, and what those need to be. We’ve
got lots of work related to our security awareness program, so that the
entire population of 45,000 employees has an understanding of what their
responsibilities are to protect our company's information assets.

I
will use a term used by a colleague that Raf and I know. Our intent is
not to secure the company 100 percent. That’s impossible, but we intend
to provide responsible defenses to make sure that we are protecting the
right assets in the right way.

Los: That’s very
interesting. You mentioned something about how the board reads the
headlines, and I want to get your take on this. I'm going to venture a
guess. It’s not because you’ve managed to get them enough paper, reams
of paper with reports that say we have a thousand vulnerabilities. It’s
not why they care.

Quite a challenge

McKenna:
Absolutely right. When I say they're reading the headlines, they're
reading what’s happening to other companies. They're asking, "Can that
happen to us?" It's quite a challenge -- a challenge to give them the
view, the visibility that is right, that speaks to exactly what our
vulnerabilities are and what we are going about it. At the same time,
I'm not giving them a report of a hundred pages that lists every
potential incident or vulnerability that we uncovered.

Los: In your organization, whose job is it? We've had triangulation between the technical nomenclature, technical language, the bits and bytes, and then the stuff that the board actually understands. I'm pretty sure SQL injection is not something that a board member would understand.

McKenna:
It's my job and it's working with my CIO to make sure that we are
communicating at the right levels and very meaningfully, and that we’ve,
in fact, got the right perspective on this ourselves. You mentioned
risk and moving to more of a risk model. We're all a bit challenged on
maturing, what that model, that framework, and those metrics are.

When
I think about how we should be investing in security at Liberty Mutual
and making the business case, sometimes it's very difficult, but I think
about it at the top level. If you think about any business model, one
approach is a product approach, where you get specific products and you
develop go-to-market strategies around those.

If you think about the bad guys and their products, either they're looking to steal customer information, they are looking to steal intellectual property (IP), or they're looking to just shut down systems and disable services. So at the high level, we need to figure out exactly where we fit in that food chain. How much bigger risk are we at, at that product level?

Gardner:
I've seen another on-ramp to getting the attention and creating enough
emphasis on the importance of security through the compliance and
regulation side of things, and certainly the payment card industry (PCI)
comes to mind. Has this been something that's worked for you at Liberty
Mutual, or you have certain compliance issues that perhaps spur along
behaviors and patterns that can lead to longer-term security benefit?

McKenna:
We're a highly-regulated industry, and PCI is perhaps a good example.
For our personal insurance business unit, we've just achieved compliance
through QSA.
We’ve worked awfully hard at that. It’s been a convenient step for us
to address some of these foundational security improvements that we
needed to make.

We're not done yet. We need to extend
that and now we're working on that, so that our entire systems have the
same level of protections and controls that are required by PCI, but
even beyond PCI. We're looking to extend those to all personal
identifiable information, any sensitive information in the company,
making sure that those assets have the same protections, the same
controls that are essential.

Gardner: Raf, do
you see that as well that the compliance issues are really on-ramp, or
an accelerant, to some of these better security practices that we've
been talking about?

Los: Absolutely. You can
look at compliance in one of two ways. You can either look at a
compliance from a peer’s security perspective and say compliance is
hogwash, just a checkbox exercise. There’s simply no reason that it's
ever going to improve security.

Being an optimist

Or
you can be an optimist. I choose to be an optimist, and take my cue
from a mentor of mine and say, "Look, it's a great way to demonstrate
that you can do the minimum due diligence, satisfy the law and the
regulation, while using it as a springboard to do other things."

And John has been talking about this too. Foundationally, I see things like PCI and other regulations, HIPAA,
taking things that security would not ordinarily get involved in. For,
example, fantastic asset management and change management and
organization.

When we think security, the first thing
that often we hear is probably not a good change management
infrastructure. Because of regulations and certain industries being
highly regulated, you have to know what's out there. You have to know
what shape it's in.

If you know your environment, the
changes that are being made, know your assets, your cycles, and where
things fall, you can much more readily consider yourself better at
security. Do you believe that?

McKenna: It's a
great plan. I think a couple of things. First of all, about leveraging
compliance, PCI specifically, to make improvements for your entire
security posture.

So we stepped back and considered, as a result of PCI mapped against the SANS
Top 20 cyber security controls, where we made improvements. Then, we
demonstrated that we made improvements in 16 of the 20 across the
enterprise. So that's one point. We use compliance to help and improve
the overall security posture.

As far as getting
involved in other parts of the IT lifecycle, absolutely -- change
management, asset management. Part of our method now for any new asset
that's been introduced into production, the first question is, is this a
PCI-related asset? And that requires certain controls and monitoring
that we have to make sure are in place.

Los: That one question probably kicks off more security conversation than you would ever have before.

McKenna: Right, absolutely agree with you.

Gardner:
I'm also looking at this larger theme of what's different now than,
say, five years ago? I often hear that the types of threats are
different. You mentioned the types of bad guys are different. We often
hear now more about nation-states being involved rather than college
students being mischievous.

I know it’s going to vary
by company to company, in vertical industry by industry, but do you
sense that you're dealing with a different type or higher level of
sophistication when it comes to threats now, John?

Level of sophistication

McKenna:
We're certainly dealing with a higher level of sophistication. We know
that. We also know that there is a lot we don't know. We certainly are
different from some industries. We don't see that we're necessarily a
direct target of nation-states, but maybe an indirect. If we're part of a
supply chain that is important, then we might still get targeted.

But
my comment to that is that we've recognized the sophistication and
we've recognized that we can't do this alone. So we've been very active,
very involved in the industry, collaborating with other companies and
even collaborating with universities.

An effort we've got underway is the Advanced Cyber Security Center,
run out of Boston. It's a partnership across public and private sectors
and university systems, trying to develop ways we can share
intelligence, share information, and improve the overall talent-base of
and knowledge base of our companies and industry.

Gardner: Raf, rising sophistication of security threats.

Los:
This is something that's been building. When we started many years ago,
hacking was a curiosity. It moved into a mischief. It moved into
individual gains and benefits. People were showing off to their
girlfriend that they hacked a website and defaced it.

Those
elements have not gone away, by the way, but we've moved into a totally
new level of sophistication. The reason for that is that organized
crime got involved. The risk is a lot higher in person than it is over
the Internet. Encrypting somebody's physical hard drive and threatening
to never give it back, unless they pay you, is a lot easier when there
is nobody physically standing in front of you who can pull a gun on you.
It's just how it is.

Over the “Internet,” there is
anonymity per se. There is a certain level of perceived anonymity and
it's easier to be part of those organized crimes. There are entire
cultures, entire markets, and strata of organized crime that get into
this. I'm not even going to touch the whole thing on activism and that
whole world, because that’s an entirely different ball of wax.

But
absolutely, the threat has evolved. It's going to continue to evolve.
To use a statement that was made earlier this morning in a keynote by Bruce Schneier, technology is often adapted by the bad guys much faster than it is with good guys.

The bad guys look at it and say, "Ooh, how do we utilize it?" Good guys look at a car and say, "I can procure it, do an RFP,
and it will take me x number of months." Bad guys say, "That’s our
getaway vehicle." It’s just the way it works. It's opportunity.

Gardner: So not only more sophistication, but more types of attacks and let’s say a speedier time to risk.

Los: It’s less risk and more reward, and that’s what everybody who's “bad” wants.

Insurance approach

Gardner:
I want to go out on a limb a little bit here and only because Liberty
Mutual is a large and established insurance company. One of the things
that I’ve been curious about in the field of security is when an
insurance approach to security might arise?

For example, when fire is a hazard, we have insurance companies that come to a building and say, "We'll insure you, but you have to do x, y and z. You have to subscribe to these practices and you have to put in place this sort of infrastructure. Then, we'll come up with an insurance policy for you." Is such a thing possible with security for enterprises? Maybe you're not the right person, John, but I am going to try.

McKenna:
It’s an interesting discussion, and we had some of that discussion
internally. Why aren’t we leveraging some of the practices of our
actuarial departments, or risk assessors that are out there working our
insurance products?

I recently met with a company that,
in fact, brokers cyber insurance, and we're trying to learn from them.
This is certainly not a mature product yet or mature marketplace for
cyber insurance. Yet they're applying the same types of risk
assessments, risk analysis, and metrics to determine exactly what a
company’s vulnerabilities might be, what their risk posture might be,
and exactly how to price a cyber insurance product. We're trying to
learn from that.

Gardner: So, Raf, an interesting concept.

Los:
Yeah, it is. As you were talking, I kept thinking that my life
insurance company knows how much they charge me based on years and years
and years and years of statistical data behind smokers, non-smokers,
people who drive fast, people who are sedentary, people who workout, eat
well, etc. Do we have enough data in the cyber world? I don’t think so,
which means this is a really interesting game of risk.

McKenna:
It’s absolutely an interesting point. The fact that you don’t have the
metrics is one side of this. It’s very difficult to price. But the fact
that they at least know what they should be measuring to come up with
that price is part of it. You need to leverage that as a risk model and
figure out what kind of assumptions you're making and what evidence can
you produce to at least verify or invalidate the model.

Los: On the notion of insurance, I can just think of all the execs that have listened to that, if it's that insurance, saying, "Great. That means we don't have to do anything, and if something bad happens the insurance will cover it." I can just see that as a light bulb going on over somebody's head.

Gardner: It’s not the way it’s
going to work. What’s going to happen is, if you don’t do that, you
won’t be able to get insurance and the companies that have insurance and
that have best practices are going to win in the market. So I don’t
think that’s too much of a risk, because that’s not the way any other
insurance works either, right John?

McKenna: That’s exactly right, yeah.

Los: I do hope it goes that way. That’s really a good driving force though.

McKenna:
Again, we're just trying to learn from it, to understand how we should
be assessing our own risk posture and prioritizing where we think the
security investment should be.

What's the benchmark?

Gardner:
If you take lots of risks, you pay more for insurance. The only
question is what you benchmark against. What is good enough? Or do you
benchmark against peers and how readily will your peers share data with
that insurance company? That’s a dangerous topic.

Gardner:
I'll just offer one insight on that -- the log data. If you're an
insurance company, you want to find out what the posture of a company
is, you have access to big data analysis, and you get access to the log
data, you might have a good opportunity to provide more of an empirical
view on a company’s posture than they are able to do, and therefore
create a value-added service. But that’s just an off-the-cuff
observation.

McKenna: I think the challenge is,
as Raf mentioned, whether we have the data or the evidence. We have
years and years and years of history around vehicle accidents, etc. We
don’t necessarily have all the correlations of data with log data and
security data that would enable us to paint those historical patterns
and understand them.

Los: That's what I'd be worried about. The causality between, if you do this, take this kind of risk, this is the likely outcome. I'm not sure we completely understand causality quite yet.

Gardner: Let's move on to one other area before we close off, and that would be other future-of-security trends or possibility. We brought one into the fold, which is this notion of insurance, but is there anything else for you, John, that's interesting or hopeful in terms of the future of security and risk avoidance?

McKenna:
In part this may be why I was put in this position. I have less of a
technical security background and more an understanding of our business
and how to make business decisions. We're getting much more direct
engagement of our business partners or business units in helping us to
assess risk and make decisions.

That is something that
we're still continuing to work on and we’ve seen some progress there,
very good progress. I think we'll see even more progress, so that in
fact, all of our, or most of our security decisions, whether it’s
investment or risk tolerance levels, are really rooted in a business
position.

Gardner: Raf, last word to you, any other concepts for you coming down of interest in terms of where this is heading?

Away from the silo

Los:
Security is moving in this direction already, but I think it’s going to
continue to move away from being a silo in the enterprise. It's
something that is fundamental, a thread through the fabric. The notion
of a stand-alone security team is definitely becoming outdated. It’s a
model that does not work. We demonstrated that it does not work.

It cannot be an afterthought and all the fun clichés to go with it. What you're going to start seeing more and more of are the nontraditional security things. Those include, as I said, change management, log aggregation, getting more involved in the business day to day, and actually understanding.

I can't tell you how
many security people I talk to that I asked the question, "So what does
your company do?" And I get that brief moment of blank stare. If you
can’t tell me how your company survives, stays competitive, and makes
money, then really what are you doing and what are you protecting, and
more importantly, why?

That’s going to continue to
evolve, it’s just going to separate the really good folks, like John,
that get it from those who are simply pushing buttons and hoping for the
best.

Gardner:
I'm afraid we’ll have to leave it there, and with that let me please
thank our co-host, Rafal Los, the Chief Security Evangelist at HP
Software. Thank you so much.

Los: Thanks for having me again.

Gardner:
And I’d also like to thank our supporter for this series, HP Software
and remind our audience to carry on the dialogue with Raf through his
blog and also the Discover Performance Group on LinkedIn.

I’d
also like to extend a huge thank you to our special guest, John
McKenna, Vice President and Chief Information Security Officer for
Liberty Mutual. Thanks so much, John.

McKenna: Thank you. This was fun, enjoyed it.

Gardner: And you all can gain more insights and information on the best of IT performance management at www.hp.com/go/discoverperformance. And you can also always access this and other episodes in our HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm
Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host
and moderator for this ongoing discussion of IT Innovation and how it’s
making an impact on people’s lives.

Transcript
of a BriefingsDirect podcast on how insurance company Liberty Mutual
has adopted a new, heightened security posture that permeates the
development process. Copyright Interarbor Solutions, LLC, 2005-2012. All
rights reserved.